Alert: 'Ryuk' Ransomware Attacks the Latest Threat

Organizations should be on guard for attacks involving an apparent variant of Hermes ransomware - dubbed Ryuk - that attempts to encrypt network resources. It has already victimized several global organizations in the U.S. and elsewhere, according to a federal alert, which offers mitigation advice.

The Aug. 30 advisory from the Department of Health and Human Services notes that the malware attacks involving Ryuk appear to be targeted.

"At the end of encryption, Ryuk destroys its encryption key and launches a BAT file that will remove shadow copies and various backup files from the disk," the alert notes.

The alert from HHS links to and contains information from an August research advisory from security firm Check Point Software Technologies, which notes that in recent weeks, "at least three organizations in the U.S. and worldwide were severely hit by the malware."

"So far the campaign has targeted several enterprises, while encrypting hundreds of PCs, storage and data centers in each infected company," Check Point notes.

Medical Equipment Firm Hit

Impacted entities include a company in the medical sector, Tim Otis, a Check Point incident response leader, tells Information Security Media Group.

"Our first discovery of Ryuk was during an incident response engagement involving a medical research equipment design and manufacturing company headquartered in the U.S., with locations in Europe," he says. "We have had additional Ryuk cases involving other verticals, such as law firms and convenience store chains both in the United States and abroad."

In its advisory, Check Point notes: "While the ransomware's technical capabilities are relatively low ... some organizations paid an exceptionally large ransom in order to retrieve their files. Although the ransom amount itself varies among the victims - ranging between 15 and 50 bitcoins - it has already netted the attackers over $640,000."

Ryuk's "inner workings" appear similar to those of Hermes ransomware, "a malware commonly attributed to the notorious North Korean APT Lazarus Group, which was also used in massive targeted attacks," Check Point writes. "This leads us to believe that the current wave of targeted attacks using Ryuk may either be the work of the Hermes operators, the allegedly North Korean group, or the work of an actor who has obtained the Hermes source code."

On Sept. 6, U.S. prosecutors charged Park Jin Hyok, a 34-year-old North Korean, for his alleged involvement in some of the most destructive and profitable cyberattacks, including the WannaCry ransomware outbreak, the Sony Pictures Entertainment breach as well as the theft of $81 million from Bangladesh Bank. Prosecutors allege that Park worked with the Lazarus group (see Feds Charge North Korean in Devastating Cyberattacks).

Phishing Campaigns?

HHS warns that Ryuk is systematically distributed via malicious spam campaigns, similar to SamSam, another ransomware that was the subject of an earlier advisory from HHS this year (see HHS Warns of SamSam Ransomware Attacks).

Similar to SamSam, Ryuk attacks appear tailored to each victim organization. "The encryption scheme is intentionally built for small-scale operations," HHS notes. "Only crucial assets and resources are infected in each targeted network. Infection and distribution are carried out manually by the attackers."

HHS did not immediately respond to an ISMG request for additional comment about its advisory.

Hermes Attacks

The Hermes ransomware first gained publicity in October 2017 when it was used as part of the targeted attack against the Far Eastern International Bank in Taiwan, Check Point notes in its advisory. "In that attack, commonly attributed to the Lazarus Group, a hefty $60 million was stolen in a sophisticated SWIFT attack, though it was later retrieved. In this case, it seems the Hermes ransomware was delivered to the bank network as a diversion," Check Point writes.

"In the case of Ryuk, however, there is no doubt that the latest ransomware attacks seen over the past two weeks are by no means just a side-show but rather the main act," Check Point says. "Indeed, with ransom payments as high as those already paid, Ryuk is definitely hitting the right note amongst its audience, or rather its victims."

Mitigation Steps

Commenting on the HHS alert, Denise Anderson, president of the Health Information Sharing and Analysis Center, or H-ISAC, formerly known as NH-ISAC, notes: "I don't know that I would call the threat 'imminent'."

But as with all cyber threats, she tells ISMG, "organizations need to practice sound enterprise risk management - having general situational awareness; understanding the threat, threat vectors and threat actor motivations; knowing the risk surface and risk appetite; monitoring for the threat; and applying appropriate response and mitigation strategies."

In its alert, HHS notes that researchers are continuing to analyze Ryuk. The agency points out that the recommended protection and mitigation practices for the related Hermes ransomware include application blacklisting to block execution of tools such as vssadmin.exe, cmd.exe and powershell.exe (a control that breaks legitimate administration if applied blindly, so it is typically scoped to user workstations or trialled in audit-only mode first); firewalling off SMB (TCP 445) between internal computers; and monitoring the Windows Security event log for scheduled task creation events, Event ID 4698, which is only written when the "Audit Other Object Access Events" subcategory is enabled.
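The 4698 monitoring suggested above is only useful if someone reads the task that was created. The following Python triage script is an added example, not code from HHS, Check Point or the article's author: it parses Security event 4698 records in the XML shape the event log exports, pulls the task's Exec action (command and arguments) out of the escaped TaskContent field, and flags any new task that launches one of the three blacklisted binaries named above, directly or via cmd /c. The event records, host name, user names and task names are constructed for illustration; the field names follow the real 4698 event schema.

```python
"""Triage Windows Security event 4698 (scheduled task created) records.

Added example, not from the HHS or Check Point advisories. The events in
SAMPLE_EVENTS are constructed for illustration, not real telemetry.
"""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Binaries the Hermes/Ryuk mitigation guidance suggests blacklisting; a new
# scheduled task that launches one of them deserves an analyst's attention.
WATCHED_BINARIES = {"vssadmin.exe", "cmd.exe", "powershell.exe"}

# Matches the same binaries when they appear on a command line (e.g. cmd /c vssadmin ...).
_WATCHED_RE = re.compile(r"(?<![\w.])(vssadmin|cmd|powershell)(?:\.exe)?(?![\w.])", re.I)
_XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")
_SEC_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
_TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"


def _local(tag):
    """Strip the namespace from an ElementTree tag ('{ns}Data' -> 'Data')."""
    return tag.rsplit("}", 1)[-1]


def parse_event(event_xml):
    """Return (event_id, {Data Name: value}) for one exported Security event record."""
    root = ET.fromstring(event_xml)
    event_id = next(e.text for e in root.iter() if _local(e.tag) == "EventID")
    fields = {d.get("Name"): (d.text or "")
              for d in root.iter() if _local(d.tag) == "Data" and d.get("Name")}
    return event_id, fields


def task_actions(task_content):
    """Extract (command, arguments) pairs from the task XML carried in TaskContent."""
    # The embedded task XML has its own <?xml ... encoding="UTF-16"?> declaration;
    # drop it, since by now the content is an already-decoded str.
    task = ET.fromstring(_XML_DECL.sub("", task_content))
    actions = []
    for node in task.iter():
        if _local(node.tag) != "Exec":
            continue
        cmd = args = ""
        for child in node:
            if _local(child.tag) == "Command":
                cmd = (child.text or "").strip()
            elif _local(child.tag) == "Arguments":
                args = (child.text or "").strip()
        actions.append((cmd, args))
    return actions


def _mentions_watched(cmd, args):
    """True if the action runs a watched binary or names one on its command line."""
    basename = re.split(r"[\\/]", cmd.strip('"'))[-1].lower()
    return basename in WATCHED_BINARIES or bool(_WATCHED_RE.search(args))


def triage(event_records):
    """One finding per 4698 record; 'suspicious' when a watched binary is involved."""
    findings = []
    for record in event_records:
        event_id, fields = parse_event(record)
        if event_id != "4698":
            continue  # 4702 (task updated) and others are out of scope here
        actions = task_actions(fields.get("TaskContent", ""))
        findings.append({
            "task": fields.get("TaskName", ""),
            "creator": f"{fields.get('SubjectDomainName', '')}\\{fields.get('SubjectUserName', '')}",
            "actions": actions,
            "suspicious": any(_mentions_watched(c, a) for c, a in actions),
        })
    return findings


# --- constructed sample input -------------------------------------------------
def make_task(command, arguments):
    """Minimal task definition XML, as the Task Scheduler stores it (constructed)."""
    return ('<?xml version="1.0" encoding="UTF-16"?>'
            f'<Task version="1.2" xmlns="{_TASK_NS}"><Actions Context="Author"><Exec>'
            f'<Command>{escape(command)}</Command><Arguments>{escape(arguments)}</Arguments>'
            '</Exec></Actions></Task>')


def make_event(event_id, task_name, task_xml, user="svc_backup", domain="CORP"):
    """Security event record in the XML layout the event log exports (constructed)."""
    return (f'<Event xmlns="{_SEC_NS}"><System>'
            '<Provider Name="Microsoft-Windows-Security-Auditing"/>'
            f'<EventID>{event_id}</EventID><Computer>ws01.corp.example</Computer></System>'
            f'<EventData><Data Name="SubjectUserName">{user}</Data>'
            f'<Data Name="SubjectDomainName">{domain}</Data>'
            f'<Data Name="TaskName">{escape(task_name)}</Data>'
            f'<Data Name="TaskContent">{escape(task_xml)}</Data></EventData></Event>')


SAMPLE_EVENTS = [
    make_event("4698", r"\Microsoft\Windows\Defrag\ScheduledDefrag",
               make_task(r"%windir%\system32\defrag.exe", "-c -h -o -$")),
    make_event("4698", r"\Update", make_task("cmd.exe", r"/c C:\Users\Public\clean.bat"), user="jdoe"),
    make_event("4698", r"\Maint", make_task(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                                            r"-NoProfile -ExecutionPolicy Bypass -File C:\Users\Public\m.ps1")),
    make_event("4702", r"\Update", make_task("cmd.exe", "/c whoami")),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print("SUSPICIOUS" if finding["suspicious"] else "ok        ", finding["task"], finding["creator"], finding["actions"])
```

On a live host the same records come from `wevtutil qe Security "/q:*[System[EventID=4698]]" /f:xml`, one `<Event>` element per line, so `triage()` can be fed directly from that output. The match on cmd.exe deliberately fires on anything launched through `cmd /c`, because the batch file Ryuk drops to delete shadow copies would itself be invoked that way.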

"We believe that the hackers behind Ryuk work on penetrating victims' infrastructures, using exploitation of vulnerabilities in systems deployed at the victims' network," Lotem Finkelsteen, Check Point threat intelligence analysis team leader, tells ISMG. "This means that, first of all, they have to manage practical virtual patching, like an IPS."

To minimize the potential damage, Finkelsteen says organizations should use an advanced endpoint security solution.

About the Author

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.
